agenttesla | 8878f15cafbcb057a086d9e13afc279622885d29c9f51daa8ca67336ebaa455b

General

Target

8878f15cafbcb057a086d9e13afc279622885d29c9f51daa8ca67336ebaa455b.exe
Size

1.1MB
MD5

e1f5e820f3cc517274cfb73f4e09f1e2
SHA1

f3c7954e415e73fcdef51171aa55155a9e4fa426
SHA256

8878f15cafbcb057a086d9e13afc279622885d29c9f51daa8ca67336ebaa455b
SHA512

3dfcbaf9ed039babfc68b6746ee9c65a88213820cb203affa0183340e2013fc83a4bdf20126df88019c3d677492f3977f9352e01ca4dad100cbb1ae364688223
SSDEEP

24576:+AHnh+eWsN3skA4RV1Hom2KXMmHa57GZp0R2NW/5:ph+ZkldoPK8Ya57GZQ2k

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.electromedica.com
Port:
587
Username:
[email protected]
Password:
2018A723?v
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect packed .NET executables. Mostly AgentTeslaV4. 4 IoCs

resource	yara_rule
behavioral1/memory/2572-31-0x0000000000090000-0x00000000000D2000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2572-40-0x0000000000090000-0x00000000000D2000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2572-37-0x0000000000090000-0x00000000000D2000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2572-33-0x0000000000090000-0x00000000000D2000-memory.dmp	INDICATOR_EXE_Packed_GEN01

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 4 IoCs

resource	yara_rule
behavioral1/memory/2572-31-0x0000000000090000-0x00000000000D2000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2572-40-0x0000000000090000-0x00000000000D2000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2572-37-0x0000000000090000-0x00000000000D2000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2572-33-0x0000000000090000-0x00000000000D2000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables referencing Windows vault credential objects. Observed in infostealers 4 IoCs

resource	yara_rule
behavioral1/memory/2572-31-0x0000000000090000-0x00000000000D2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2572-40-0x0000000000090000-0x00000000000D2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2572-37-0x0000000000090000-0x00000000000D2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2572-33-0x0000000000090000-0x00000000000D2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 4 IoCs

resource	yara_rule
behavioral1/memory/2572-31-0x0000000000090000-0x00000000000D2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2572-40-0x0000000000090000-0x00000000000D2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2572-37-0x0000000000090000-0x00000000000D2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2572-33-0x0000000000090000-0x00000000000D2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Detects executables referencing many email and collaboration clients. Observed in information stealers 4 IoCs

resource	yara_rule
behavioral1/memory/2572-31-0x0000000000090000-0x00000000000D2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2572-40-0x0000000000090000-0x00000000000D2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2572-37-0x0000000000090000-0x00000000000D2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2572-33-0x0000000000090000-0x00000000000D2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

Detects executables referencing many file transfer clients. Observed in information stealers 4 IoCs

resource	yara_rule
behavioral1/memory/2572-31-0x0000000000090000-0x00000000000D2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2572-40-0x0000000000090000-0x00000000000D2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2572-37-0x0000000000090000-0x00000000000D2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2572-33-0x0000000000090000-0x00000000000D2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs	name.exe

Executes dropped EXE 1 IoCs

pid	Process
2424	name.exe

Loads dropped DLL 1 IoCs

pid	Process
2104	8878f15cafbcb057a086d9e13afc279622885d29c9f51daa8ca67336ebaa455b.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\ZFzKrzC = "C:\\Users\\Admin\\AppData\\Roaming\\ZFzKrzC\\ZFzKrzC.exe"	RegSvcs.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0007000000016d2b-12.dat	autoit_exe
behavioral1/memory/2424-29-0x0000000000030000-0x0000000000144000-memory.dmp	autoit_exe
behavioral1/memory/2424-41-0x0000000000030000-0x0000000000144000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2424 set thread context of 2572	2424	name.exe	29

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2572	RegSvcs.exe
2572	RegSvcs.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2424	name.exe
2424	name.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2572	RegSvcs.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2104	8878f15cafbcb057a086d9e13afc279622885d29c9f51daa8ca67336ebaa455b.exe
2104	8878f15cafbcb057a086d9e13afc279622885d29c9f51daa8ca67336ebaa455b.exe
2424	name.exe
2424	name.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2104	8878f15cafbcb057a086d9e13afc279622885d29c9f51daa8ca67336ebaa455b.exe
2104	8878f15cafbcb057a086d9e13afc279622885d29c9f51daa8ca67336ebaa455b.exe
2424	name.exe
2424	name.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2424	2104	8878f15cafbcb057a086d9e13afc279622885d29c9f51daa8ca67336ebaa455b.exe	28
PID 2104 wrote to memory of 2424	2104	8878f15cafbcb057a086d9e13afc279622885d29c9f51daa8ca67336ebaa455b.exe	28
PID 2104 wrote to memory of 2424	2104	8878f15cafbcb057a086d9e13afc279622885d29c9f51daa8ca67336ebaa455b.exe	28
PID 2104 wrote to memory of 2424	2104	8878f15cafbcb057a086d9e13afc279622885d29c9f51daa8ca67336ebaa455b.exe	28
PID 2424 wrote to memory of 2572	2424	name.exe	29
PID 2424 wrote to memory of 2572	2424	name.exe	29
PID 2424 wrote to memory of 2572	2424	name.exe	29
PID 2424 wrote to memory of 2572	2424	name.exe	29
PID 2424 wrote to memory of 2572	2424	name.exe	29
PID 2424 wrote to memory of 2572	2424	name.exe	29
PID 2424 wrote to memory of 2572	2424	name.exe	29
PID 2424 wrote to memory of 2572	2424	name.exe	29

C:\Users\Admin\AppData\Local\Temp\8878f15cafbcb057a086d9e13afc279622885d29c9f51daa8ca67336ebaa455b.exe
"C:\Users\Admin\AppData\Local\Temp\8878f15cafbcb057a086d9e13afc279622885d29c9f51daa8ca67336ebaa455b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Users\Admin\AppData\Local\directory\name.exe
  "C:\Users\Admin\AppData\Local\Temp\8878f15cafbcb057a086d9e13afc279622885d29c9f51daa8ca67336ebaa455b.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\8878f15cafbcb057a086d9e13afc279622885d29c9f51daa8ca67336ebaa455b.exe"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\directory\name.exe

Filesize
1.1MB

MD5
e1f5e820f3cc517274cfb73f4e09f1e2

SHA1
f3c7954e415e73fcdef51171aa55155a9e4fa426

SHA256
8878f15cafbcb057a086d9e13afc279622885d29c9f51daa8ca67336ebaa455b

SHA512
3dfcbaf9ed039babfc68b6746ee9c65a88213820cb203affa0183340e2013fc83a4bdf20126df88019c3d677492f3977f9352e01ca4dad100cbb1ae364688223

Download Submit
memory/2104-10-0x0000000000130000-0x0000000000134000-memory.dmp

Filesize
16KB

Download
memory/2424-29-0x0000000000030000-0x0000000000144000-memory.dmp

Filesize
1.1MB

Download
memory/2424-41-0x0000000000030000-0x0000000000144000-memory.dmp

Filesize
1.1MB

Download
memory/2572-37-0x0000000000090000-0x00000000000D2000-memory.dmp

Filesize
264KB

Download
memory/2572-40-0x0000000000090000-0x00000000000D2000-memory.dmp

Filesize
264KB

Download
memory/2572-33-0x0000000000090000-0x00000000000D2000-memory.dmp

Filesize
264KB

Download
memory/2572-31-0x0000000000090000-0x00000000000D2000-memory.dmp

Filesize
264KB

Download
memory/2572-42-0x00000000746DE000-0x00000000746DF000-memory.dmp

Filesize
4KB

Download
memory/2572-43-0x00000000746D0000-0x0000000074DBE000-memory.dmp

Filesize
6.9MB

Download
memory/2572-45-0x00000000746DE000-0x00000000746DF000-memory.dmp

Filesize
4KB

Download
memory/2572-46-0x00000000746D0000-0x0000000074DBE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads